* The Defense Department approves, funds and requires IT certification

We’ve devoted many issues of this newsletter to discussing whether certifications are becoming less important than work experience and business skills. Judging by the most recent skills pay surveys by Foote Partners, employers are now more likely to give pay hikes to experienced folks vs. certified techies (search the newsletter index for our discussions on this topic).

Reader Gene Simpson wrote in to say there is one major employer that does require certifications of its IT employees and contractors – the Department of Defense. Simpson, CISSP, CISA, CCIE #15256, is a computer security specialist and a MIST student at the University of Maryland, University College studying information assurance. He writes:

“Both surveys and the industry press have predicted the demise of the IT certification industry. Studies show declines in certifications awarded, and in the salaries awarded for certified skills. The conventional wisdom of today is that IT certifications are not worth the paper they are printed on.

“All of this makes Department of Defense Directive 8570 all the more remarkable. DOD 8570.01-M, issued in December of 2005, requires that many civilian and military IT professionals have information assurance certifications.

“The directive requires new hires to agree to obtain certification as a “condition of employment” within 6 months of being hired. In addition, many DOD contracts are to require the contractor to report on the certification status of IT professionals working on the contract. And under current plans, it requires that by the end of 2008, 40% of the affected IT professionals have one of the approved certifications. To facilitate this, the National Defense Authorization Act for Fiscal Year 2006 authorizes the Pentagon to pay for certifications for members of the armed forces (see title 10, chapter 101 of the United States Code).

“DOD 8570.01-M specifies a list of approved information assurance certifications issued not by the military, but by the certification industry. This list is split into two tracks, technical and managerial, with three levels each. For each track and level, there are specific industry certifications approved to meet the requirement.

“DOD 8570.01-M Approved IT Certifications:

Technical Level 1: A+, Network+, SSCP

Technical Level 2: GSEC, Security+, SCNP, SSCP

Technical Level 3: CISA, CISSP, GSE, SCNA

Managerial Level 1: GISF, GSLC, Security+

Managerial Level 2: GSLC, CISM, CISSP

Managerial Level 3: GSLC, CISM, CISSP

“In addition to the approved list of certifications, which are vendor-neutral, DOD 8570.01-M specifies that system administrators with admin and/or root privileges (privileged users in DOD parlance) “MUST OBTAIN APPROPRIATE COMPUTING ENVIRONMENT (CE) CERTIFICATIONS for the operating system(s) they support.” The DOD has taken a strong stand on the IT certification debate. In the DOD 8570.01-M manual, the Pentagon has approved 12 IT certifications, and classified them into three levels of difficulty. It has also made these certifications a reportable requirement for the hiring, promotion, and retention of many IT professionals working in both the DOD and for military contractors, and Federal law has been modified to allow the Pentagon to pay for certifications for members of the armed forces. Furthermore, the directive contains language requiring system and network administrators to obtain vendor certifications for the systems they operate.

“The final impact of DOD 8570.01-M has yet to be seen. The scope of the directive, especially where it concerns DOD contractors, is unknown, as are the Pentagon’s ideas on “CERTIFICATIONS for the operating system(s) they support”. However, it is clear that the Pentagon has issued a strong statement in the certification debate, and one that contradicts the conventional wisdom.”